1.8.6 broke auth token support?


Post by tleilax » Tue Jul 14, 2020 7:53 pm
Hi all,

I noticed that for the last week or so (since the 1.8.6 update) reconnecting always requires a new OTP code now, whereas before the client would reconnect for some time without it via the auth token mechanism. I haven't tried to downgrade to 1.8.5 yet to fully verify that that fixes it, but I know the server configuration hasn't changed, and a colleague of mine using Viscosity is experiencing the same issue. Is this a known problem?

Regards,

Bart

Post by James » Mon Jul 20, 2020 8:04 pm
Hi Bart,

There have been no changes to Viscosity's session token handling. For good measure we've also given version 1.8.6 an additional test and confirmed session token works as expected.

If your OpenVPN server is running the development branch of OpenVPN 2.5 (not recommended), or OpenVPN Access-Server, then session tokens should work across brief VPN dropouts, computer sleeps, and key renegotiations. If the server is running OpenVPN 2.4.x, then session tokens will work across key renegotiations only.

Please keep in mind that most server setups also limit how long a session token is valid for (e.g. the time specified when using the auth-gen-token command). Sometimes we see misconfigured setups where the session token expiry time has been set to a shorter time period than the key renegotiation time (reneg-sec), which means the session token will also be invalid for key renegotiations (and you'll need to enter your authentication details again).

Finally, please also keep in mind that session tokens are server specific. If your VPN connection setup has multiple servers it could use, depending on the configuration it may connect to a different server after a sleep/wake or a dropout. To prevent this you'll want to make use of the "persist-remote-ip" option in your Viscosity connection.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
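
A server-side check for the misconfiguration James describes (session token lifetime shorter than `reneg-sec`), as an added example that is not part of the original thread or of Viscosity or OpenVPN. The sample configurations are constructed; it assumes the `auth-gen-token` lifetime is given in seconds, that an omitted or `0` lifetime means no expiry, and that `reneg-sec` defaults to 3600 when unset.

```python
# Added example: flag a session-token lifetime shorter than the key
# renegotiation interval in an OpenVPN server config.
RENEG_SEC_DEFAULT = 3600  # assumed OpenVPN default when reneg-sec is not set

def parse_directives(text):
    """Return {directive: [args]}; '#' and ';' comments are stripped (simplified)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives[parts[0].lstrip("-")] = parts[1:]
    return directives

def check_token_lifetime(text):
    """Classify a server config: 'no-token', 'ok' or 'token-expires-before-reneg'."""
    d = parse_directives(text)
    if "auth-gen-token" not in d:
        return "no-token"  # server never issues a session token
    args = d["auth-gen-token"]
    # Omitted or 0 lifetime: the token does not expire.
    lifetime = int(args[0]) if args and args[0].isdigit() else 0
    reneg_args = d.get("reneg-sec")
    reneg = int(reneg_args[0]) if reneg_args else RENEG_SEC_DEFAULT
    if lifetime == 0 or reneg == 0:  # reneg-sec 0 disables renegotiation
        return "ok"
    # Token already expired when the first renegotiation happens:
    # the user is asked for credentials (and OTP) again.
    return "token-expires-before-reneg" if lifetime < reneg else "ok"

# Constructed sample configs (not taken from the thread).
BAD_CONFIG = """
port 1194
auth-gen-token 1800   # 30 minutes
reneg-sec 3600
"""
GOOD_CONFIG = """
auth-gen-token 43200  # 12 hours
reneg-sec 3600
"""
DEFAULT_RENEG_CONFIG = "auth-gen-token 600\n"  # reneg-sec unset, default applies

if __name__ == "__main__":
    for name, cfg in [("bad", BAD_CONFIG), ("good", GOOD_CONFIG),
                      ("default-reneg", DEFAULT_RENEG_CONFIG)]:
        print(name, "->", check_token_lifetime(cfg))
```

Only the server file is inspected here; a `reneg-sec` set on the client side is not considered.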